!434 fix log printing in tpcm_kunpeng module

From: @zhangqiumiao 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng

add-tpcm-support-with-ipmi-channel.patch

@@ -31,7 +31,7 @@ index b26774b..935195f 100644
  };
  
 +module = {
-+  name = tpcm;
++  name = tpcm_kunpeng;
 +  common = commands/efi/tpcm.c;
 +  enable = efi;
 +};
@@ -437,8 +437,8 @@ index 0000000..0803b9b
 +                                       &response_length, NULL);
 +  if (status != GRUB_EFI_SUCCESS)
 +    {
-+      grub_printf ("excute_ipmi_cmd failed, request sub_cmd:%d, ret:%lu\n",
-+                   request_data.SubCmd, status);
++      grub_dprintf ("tpcm", "excute_ipmi_cmd failed, request sub_cmd:%d, ret:%lu\n",
++                    request_data.SubCmd, status);
 +      /*  if we excute_ipmi_cmd, it could be the fllowing results:
 +       *  1. uefi have this interface, but did not implement it.
 +       *  2. uefi have implemented, but bmc did not support TPCM

backport-CVE-2023-4692-fs-ntfs-Fix-an-OOB-write-when-parsing-the.patch

@@ -0,0 +1,96 @@
+From 998f950383270b8494efd17738cf4fb358705c6c Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:31:57 +0300
+Subject: [PATCH 1/6] fs/ntfs: Fix an OOB write when parsing the
+ $ATTRIBUTE_LIST attribute for the $MFT file
+
+When parsing an extremely fragmented $MFT file, i.e., the file described
+using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
+containing bytes read from the underlying drive to store sector numbers,
+which are consumed later to read data from these sectors into another buffer.
+
+These sectors numbers, two 32-bit integers, are always stored at predefined
+offsets, 0x10 and 0x14, relative to first byte of the selected entry within
+the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
+
+However, when parsing a specially-crafted file system image, this may cause
+the NTFS code to write these integers beyond the buffer boundary, likely
+causing the GRUB memory allocator to misbehave or fail. These integers contain
+values which are controlled by on-disk structures of the NTFS file system.
+
+Such modification and resulting misbehavior may touch a memory range not
+assigned to the GRUB and owned by firmware or another EFI application/driver.
+
+This fix introduces checks to ensure that these sector numbers are never
+written beyond the boundary.
+
+Fixes: CVE-2023-4692
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea
+Conflict:NA
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 2f34f76..c8d3683 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+     }
+   if (at->attr_end)
+     {
+-      grub_uint8_t *pa;
++      grub_uint8_t *pa, *pa_end;
+ 
+       at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+       if (at->emft_buf == NULL)
+@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 	    }
+ 	  at->attr_nxt = at->edat_buf;
+ 	  at->attr_end = at->edat_buf + u32at (pa, 0x30);
++	  pa_end = at->edat_buf + n;
+ 	}
+       else
+ 	{
+ 	  at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+ 	  at->attr_end = at->attr_end + u32at (pa, 4);
++	  pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ 	}
+       at->flags |= GRUB_NTFS_AF_ALST;
+       while (at->attr_nxt < at->attr_end)
+@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 	  at->flags |= GRUB_NTFS_AF_GPOS;
+ 	  at->attr_cur = at->attr_nxt;
+ 	  pa = at->attr_cur;
++
++	  if ((pa >= pa_end) || (pa_end - pa < 0x18))
++	    {
++	      grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++	      return NULL;
++	    }
++
+ 	  grub_set_unaligned32 ((char *) pa + 0x10,
+ 				grub_cpu_to_le32 (at->mft->data->mft_start));
+ 	  grub_set_unaligned32 ((char *) pa + 0x14,
+@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 	    {
+ 	      if (*pa != attr)
+ 		break;
++
++              if ((pa >= pa_end) || (pa_end - pa < 0x18))
++                {
++	          grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++	          return NULL;
++	        }
++
+ 	      if (read_attr
+ 		  (at, pa + 0x10,
+ 		   u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
+-- 
+2.19.1
+

backport-CVE-2023-4693-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the.patch

@@ -0,0 +1,61 @@
+From 0636bff015fe6f2df6975cdfac6e264e2649fc26 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: [PATCH 2/6] fs/ntfs: Fix an OOB read when reading data from the
+ resident $DATA attribute
+
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+
+Fixes: CVE-2023-4693
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94
+Conflict:NA
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index c8d3683..4d1fe42 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+     {
+       if (ofs + len > u32at (pa, 0x10))
+ 	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+-      grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
++
++      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
++
++      if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++	  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+       return 0;
+     }
+ 
+-- 
+2.19.1
+

backport-CVE-2024-1048-grub-set-bootflag-Conservative-partial-fix.patch

@@ -0,0 +1,153 @@
+From 77f0ca016ae45fd5471cc89ac472868d94b8ed67 Mon Sep 17 00:00:00 2001
+From: Solar Designer <solar@openwall.com>
+Date: Tue, 6 Feb 2024 21:39:41 +0100
+Subject: [PATCH] grub-set-bootflag: Conservative partial fix for CVE-2024-1048
+
+Following up on CVE-2019-14865 and taking a fresh look at
+grub2-set-bootflag now (through my work at CIQ on Rocky Linux), I saw some
+other ways in which users could still abuse this little program:
+
+1. After CVE-2019-14865 fix, grub2-set-bootflag no longer rewrites the
+grubenv file in-place, but writes into a temporary file and renames it
+over the original, checking for error returns from each call first.
+This prevents the original file truncation vulnerability, but it can
+leave the temporary file around if the program is killed before it can
+rename or remove the file.  There are still many ways to get the program
+killed, such as through RLIMIT_FSIZE triggering SIGXFSZ (tested,
+reliable) or by careful timing (tricky) of signals sent by process group
+leader, pty, pre-scheduled timers, SIGXCPU (probably not an exhaustive
+list).  Invoking the program multiple times fills up /boot (or if /boot
+is not separate, then it can fill up the root filesystem).  Since the
+files are tiny, the filesystem is likely to run out of free inodes
+before it'd run out of blocks, but the effect is similar - can't create
+new files after this point (but still can add data to existing files,
+such as logs).
+
+2. After CVE-2019-14865 fix, grub2-set-bootflag naively tries to protect
+itself from signals by becoming full root.  (This does protect it from
+signals sent by the user directly to the PID, but e.g. "kill -9 -1" by
+the user still works.)  A side effect of such "protection" is that it's
+possible to invoke more concurrent instances of grub2-set-bootflag than
+the user's RLIMIT_NPROC would normally permit (as specified e.g. in
+/etc/security/limits.conf, or say in Apache httpd's RLimitNPROC if
+grub2-set-bootflag would be abused by a website script), thereby
+exhausting system resources (e.g., bypassing RAM usage limit if
+RLIMIT_AS was also set).
+
+3. umask is inherited.  Again, due to how the CVE-2019-14865 fix creates
+a new file, and due to how mkstemp() works, this affects grubenv's new
+file permissions.  Luckily, mkstemp() forces them to be no more relaxed
+than 0600, but the user ends up being able to set them e.g. to 0.
+Luckily, at least in my testing GRUB still works fine even when the file
+has such (lack of) permissions.
+
+This commit deals with the abuses above as follows:
+
+1. RLIMIT_FSIZE is pre-checked, so this specific way to get the process
+killed should no longer work.  However, this isn't a complete fix
+because there are other ways to get the process killed after it has
+created the temporary file.
+
+The commit also fixes bug 1975892 ("RFE: grub2-set-bootflag should not
+write the grubenv when the flag being written is already set") and
+similar for "menu_show_once", which further reduces the abuse potential.
+
+2. RLIMIT_NPROC bypass should be avoided by not becoming full root (aka
+dropping the partial "kill protection").
+
+3. A safe umask is set.
+
+This is a partial fix (temporary files can still accumulate, but this is
+harder to trigger).
+
+While at it, this commit also fixes potential 1- or 2-byte over-read of
+env[] if its content is malformed - this was not a security issue since the
+grubenv file is trusted input, and the fix is just for robustness.
+
+Reference:https://src.fedoraproject.org/rpms/grub2/c/de8520b84a00acd5152bfacb433cc577fe825bca?branch=rawhide
+Conflict:NA
+
+Signed-off-by: Solar Designer <solar@openwall.com>
+---
+ util/grub-set-bootflag.c | 30 +++++++++++++++++-------------
+ 1 file changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
+index d1c5e28..6b2561c 100644
+--- a/util/grub-set-bootflag.c
++++ b/util/grub-set-bootflag.c
+@@ -33,6 +33,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <sys/stat.h>
++#include <sys/resource.h>
+ 
+ #define GRUBENV "/" GRUB_BOOT_DIR_NAME "/" GRUB_DIR_NAME "/" GRUB_ENVBLK_DEFCFG
+ #define GRUBENV_SIZE 1024
+@@ -55,12 +57,17 @@ static void usage(void)
+ int main(int argc, char *argv[])
+ {
+   /* NOTE buf must be at least the longest bootflag length + 4 bytes */
+-  char env[GRUBENV_SIZE + 1], buf[64], *s;
++  char env[GRUBENV_SIZE + 1 + 2], buf[64], *s;
+   /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */
+   char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1];
+   const char *bootflag;
+   int i, fd, len, ret;
+   FILE *f;
++  struct rlimit rlim;
++
++  if (getrlimit(RLIMIT_FSIZE, &rlim) || rlim.rlim_cur < GRUBENV_SIZE || rlim.rlim_max < GRUBENV_SIZE)
++    return 1;
++  umask(077);
+ 
+   if (argc != 2)
+     {
+@@ -82,20 +89,11 @@ int main(int argc, char *argv[])
+   len = strlen (bootflag);
+ 
+   /*
+-   * Really become root. setuid avoids an user killing us, possibly leaking
+-   * the tmpfile. setgid avoids the new grubenv's gid being that of the user.
++   * setegid avoids the new grubenv's gid being that of the user.
+    */
+-  ret = setuid(0);
+-  if (ret)
+-    {
+-      perror ("Error setuid(0) failed");
+-      return 1;
+-    }
+-
+-  ret = setgid(0);
+-  if (ret)
++  if (setegid(0))
+     {
+-      perror ("Error setgid(0) failed");
++      perror ("Error setegid(0) failed");
+       return 1;
+     }
+ 
+@@ -124,6 +122,10 @@ int main(int argc, char *argv[])
+ 
+   /* 0 terminate env */
+   env[GRUBENV_SIZE] = 0;
++	
++  /* not a valid flag value */
++  env[GRUBENV_SIZE + 1] = 0;
++  env[GRUBENV_SIZE + 2] = 0;
+ 
+   if (strncmp (env, GRUB_ENVBLK_SIGNATURE, strlen (GRUB_ENVBLK_SIGNATURE)))
+     {
+@@ -159,6 +161,8 @@ int main(int argc, char *argv[])
+ 
+   /* The grubenv is not 0 terminated, so memcpy the name + '=' , '1', '\n' */
+   snprintf(buf, sizeof(buf), "%s=1\n", bootflag);
++  if (!memcmp(s, buf, len + 3))
++    return 0; /* nothing to do */
+   memcpy(s, buf, len + 3);
+ 
+ 
+-- 
+2.19.1
+

backport-CVE-2024-1048-grub-set-bootflag-Exit-calmly-when-not.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Solar Designer <solar@openwall.com>
+Date: Tue, 6 Feb 2024 22:05:45 +0100
+Subject: [PATCH] grub-set-bootflag: Exit calmly when not running as root
+ 
+Exit calmly when not installed SUID root and invoked by non-root.  This
+allows installing user/grub-boot-success.service unconditionally while
+supporting non-SUID installation of the program for some limited usage.
+
+Reference:https://src.fedoraproject.org/rpms/grub2/c/de8520b84a00acd5152bfacb433cc577fe825bca?branch=rawhide
+Conflict:NA
+ 
+Signed-off-by: Solar Designer <solar@openwall.com>
+---
+ util/grub-set-bootflag.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+ 
+diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
+index 514c4f9091ac..31a868aeca8a 100644
+--- a/util/grub-set-bootflag.c
++++ b/util/grub-set-bootflag.c
+@@ -98,6 +98,17 @@ int main(int argc, char *argv[])
+   bootflag = bootflags[i];
+   len = strlen (bootflag);
+ 
++  /*
++   * Exit calmly when not installed SUID root and invoked by non-root.  This
++   * allows installing user/grub-boot-success.service unconditionally while
++   * supporting non-SUID installation of the program for some limited usage.
++   */
++  if (geteuid())
++    {
++      printf ("grub-set-bootflag not running as root, no action taken\n");
++      return 0;
++    }
++
+   /*
+    * setegid avoids the new grubenv's gid being that of the user.
+    */
+

backport-CVE-2024-1048-grub-set-bootflag-More-complete-fix.patch

@@ -0,0 +1,191 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Solar Designer <solar@openwall.com>
+Date: Tue, 6 Feb 2024 21:56:21 +0100
+Subject: [PATCH] grub-set-bootflag: More complete fix for CVE-2024-1048
+ 
+Switch to per-user fixed temporary filenames along with a weird locking
+mechanism, which is explained in source code comments.  This is a more
+complete fix than the previous commit (temporary files can't accumulate).
+Unfortunately, it introduces new risks (by working on a temporary file
+shared between the user's invocations), which are _hopefully_ avoided by
+the patch's elaborate logic.  I actually got it wrong at first, which
+suggests that this logic is hard to reason about, and more errors or
+omissions are possible.  It also relies on the kernel's primitives' exact
+semantics to a greater extent (nothing out of the ordinary, though).
+ 
+Remaining issues that I think cannot reasonably be fixed without a
+redesign (e.g., having per-flag files with nothing else in them) and
+without introducing new issues:
+ 
+A. A user can still revert a concurrent user's attempt of setting the
+other flag - or of making other changes to grubenv by means other than
+this program.
+ 
+B. One leftover temporary file per user is still possible.
+
+Reference:https://src.fedoraproject.org/rpms/grub2/c/de8520b84a00acd5152bfacb433cc577fe825bca?branch=rawhide
+Conflict:NA
+ 
+Signed-off-by: Solar Designer <solar@openwall.com>
+---
+ util/grub-set-bootflag.c | 95 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 79 insertions(+), 16 deletions(-)
+ 
+diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
+index 5bbbef804391..514c4f9091ac 100644
+--- a/util/grub-set-bootflag.c
++++ b/util/grub-set-bootflag.c
+@@ -33,6 +33,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <sys/file.h>
+ #include <sys/stat.h>
+ #include <sys/resource.h>
+ 
+@@ -60,15 +61,12 @@ int main(int argc, char *argv[])
+ {
+   /* NOTE buf must be at least the longest bootflag length + 4 bytes */
+   char env[GRUBENV_SIZE + 1 + 2], buf[64], *s;
+-  /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */
+-  char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1];
++  /* +1 for 0 termination, +11 for ".%u" in tmp filename */
++  char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 11 + 1];
+   const char *bootflag;
+   int i, fd, len, ret;
+   FILE *f;
+-  struct rlimit rlim;
+ 
+-  if (getrlimit(RLIMIT_FSIZE, &rlim) || rlim.rlim_cur < GRUBENV_SIZE || rlim.rlim_max < GRUBENV_SIZE)
+-    return 1;
+   umask(077);
+ 
+   if (argc != 2)
+@@ -105,7 +103,7 @@ int main(int argc, char *argv[])
+    */
+   if (setegid(0))
+     {
+-      perror ("Error setegid(0) failed");
++      perror ("setegid(0) failed");
+       return 1;
+     }
+ 
+@@ -176,19 +174,82 @@ int main(int argc, char *argv[])
+     return 0; /* nothing to do */
+   memcpy(s, buf, len + 3);
+ 
++  struct rlimit rlim;
++  if (getrlimit(RLIMIT_FSIZE, &rlim) || rlim.rlim_cur < GRUBENV_SIZE || rlim.rlim_max < GRUBENV_SIZE)
++    {
++      fprintf (stderr, "Resource limits undetermined or too low\n");
++      return 1;
++    }
++
++  /*
++   * Here we work under the premise that we shouldn't write into the target
++   * file directly because we might not be able to have all of our changes
++   * written completely and atomically.  That was CVE-2019-14865, known to
++   * have been triggerable via RLIMIT_FSIZE.  While we've dealt with that
++   * specific attack via the check above, there may be other possibilities.
++   */
+ 
+   /*
+    * Create a tempfile for writing the new env.  Use the canonicalized filename
+    * for the template so that the tmpfile is in the same dir / on same fs.
++   *
++   * We now use per-user fixed temporary filenames, so that a user cannot cause
++   * multiple files to accumulate.
++   *
++   * We don't use O_EXCL so that a stale temporary file doesn't prevent further
++   * usage of the program by the user.
+    */
+-  snprintf(tmp_filename, sizeof(tmp_filename), "%sXXXXXX", env_filename);
+-  fd = mkstemp(tmp_filename);
++  snprintf(tmp_filename, sizeof(tmp_filename), "%s.%u", env_filename, getuid());
++  fd = open(tmp_filename, O_CREAT | O_WRONLY, 0600);
+   if (fd == -1)
+     {
+       perror ("Creating tmpfile failed");
+       return 1;
+     }
+ 
++  /*
++   * The lock prevents the same user from reaching further steps ending in
++   * rename() concurrently, in which case the temporary file only partially
++   * written by one invocation could be renamed to the target file by another.
++   *
++   * The lock also guards the slow fsync() from concurrent calls.  After the
++   * first time that and the rename() complete, further invocations for the
++   * same flag become no-ops.
++   *
++   * We lock the temporary file rather than the target file because locking the
++   * latter would allow any user having SIGSTOP'ed their process to make all
++   * other users' invocations fail (or lock up if we'd use blocking mode).
++   *
++   * We use non-blocking mode (LOCK_NB) because the lock having been taken by
++   * another process implies that the other process would normally have already
++   * renamed the file to target by the time it releases the lock (and we could
++   * acquire it), so we'd be working directly on the target if we proceeded,
++   * which is undesirable, and we'd kind of fail on the already-done rename.
++   */
++  if (flock(fd, LOCK_EX | LOCK_NB))
++    {
++      perror ("Locking tmpfile failed");
++      return 1;
++    }
++
++  /*
++   * Deal with the potential that another invocation proceeded all the way to
++   * rename() and process exit while we were between open() and flock().
++   */
++  {
++    struct stat st1, st2;
++    if (fstat(fd, &st1) || stat(tmp_filename, &st2))
++      {
++        perror ("stat of tmpfile failed");
++        return 1;
++      }
++    if (st1.st_dev != st2.st_dev || st1.st_ino != st2.st_ino)
++      {
++        fprintf (stderr, "Another invocation won race\n");
++        return 1;
++      }
++  }
++
+   f = fdopen (fd, "w");
+   if (!f)
+     {
+@@ -213,6 +274,14 @@ int main(int argc, char *argv[])
+       return 1;     
+     }
+ 
++  ret = ftruncate (fileno (f), GRUBENV_SIZE);
++  if (ret)
++    {
++      perror ("Error truncating tmpfile");
++      unlink(tmp_filename);
++      return 1;
++    }
++
+   ret = fsync (fileno (f));
+   if (ret)
+     {
+@@ -221,15 +290,9 @@ int main(int argc, char *argv[])
+       return 1;
+     }
+ 
+-  ret = fclose (f);
+-  if (ret)
+-    {
+-      perror ("Error closing tmpfile");
+-      unlink(tmp_filename);
+-      return 1;
+-    }
+-
+   /*
++   * We must not close the file before rename() as that would remove the lock.
++   *
+    * And finally rename the tmpfile with the new env over the old env, the
+    * linux kernel guarantees that this is atomic (from a syscall pov).
+    */
+

backport-commands-acpi-Fix-calculation-of-ACPI-tables-address.patch

@@ -0,0 +1,84 @@
+From 63fc253fc9f148c09d5bb38971edcb50dc090f9d Mon Sep 17 00:00:00 2001
+From: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Date: Mon, 11 Dec 2023 17:20:25 +0800
+Subject: commands/acpi: Fix calculation of ACPI tables addresses when
+ processing RSDT and XSDT
+
+According to the ACPI specification the XSDT Entry field contains an array
+of 64-bit physical addresses which points to other DESCRIPTION_HEADERs. However,
+the entry_ptr iterator is defined as a 32-bit pointer. It means each 64-bit
+entry in the XSDT table is treated as two separate 32-bit entries then. Fix the
+issue by using correct addresses sizes when processing RSDT and XSDT tables.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/patch/?id=63fc253fc9f148c09d5bb38971edcb50dc090f9d
+Conflict:NA
+
+Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/acpi.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
+index 1c03446..77be99a 100644
+--- a/grub-core/commands/acpi.c
++++ b/grub-core/commands/acpi.c
+@@ -490,12 +490,12 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)
+ 
+   if (rsdp)
+     {
+-      grub_uint32_t *entry_ptr;
++      grub_uint8_t *entry_ptr;
+       char *exclude = 0;
+       char *load_only = 0;
+       char *ptr;
+-      /* RSDT consists of header and an array of 32-bit pointers. */
+-      struct grub_acpi_table_header *rsdt;
++      grub_size_t tbl_addr_size;
++      struct grub_acpi_table_header *table_head;
+ 
+       exclude = state[0].set ? grub_strdup (state[0].arg) : 0;
+       if (exclude)
+@@ -515,20 +515,31 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)
+       rev1 = ! rsdp->revision;
+       rev2 = rsdp->revision;
+       if (rev2 && ((struct grub_acpi_table_header *) (grub_addr_t) ((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr) != NULL)
+-	rsdt = (struct grub_acpi_table_header *) (grub_addr_t) ((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr;
++	{
++	  /* XSDT consists of header and an array of 64-bit pointers. */
++	  table_head = (struct grub_acpi_table_header *) (grub_addr_t) ((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr;
++	  tbl_addr_size = sizeof (((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr);
++	}
+       else
+-	rsdt = (struct grub_acpi_table_header *) (grub_addr_t) rsdp->rsdt_addr;
++	{
++	  /* RSDT consists of header and an array of 32-bit pointers. */
++	  table_head = (struct grub_acpi_table_header *) (grub_addr_t) rsdp->rsdt_addr;
++	  tbl_addr_size = sizeof (rsdp->rsdt_addr);
++	}
+ 
+       /* Load host tables. */
+-      for (entry_ptr = (grub_uint32_t *) (rsdt + 1);
+-	   entry_ptr < (grub_uint32_t *) (((grub_uint8_t *) rsdt)
+-					  + rsdt->length);
+-	   entry_ptr++)
++      for (entry_ptr = (grub_uint8_t *) (table_head + 1);
++	   entry_ptr < (grub_uint8_t *) (((grub_uint8_t *) table_head) + table_head->length);
++	   entry_ptr += tbl_addr_size)
+ 	{
+ 	  char signature[5];
+ 	  struct efiemu_acpi_table *table;
+-	  struct grub_acpi_table_header *curtable
+-	    = (struct grub_acpi_table_header *) (grub_addr_t) *entry_ptr;
++	  struct grub_acpi_table_header *curtable;
++	  if (tbl_addr_size == sizeof (rsdp->rsdt_addr))
++	    curtable = (struct grub_acpi_table_header *) (grub_addr_t) *((grub_uint32_t *) entry_ptr);
++	  else
++	    curtable = (struct grub_acpi_table_header *) (grub_addr_t) *((grub_uint64_t *) entry_ptr);
++
+ 	  signature[4] = 0;
+ 	  for (i = 0; i < 4;i++)
+ 	    signature[i] = grub_tolower (curtable->signature[i]);
+-- 
+cgit v1.1
+

backport-commands-acpi-Use-xsdt_addr-if-present.patch

@@ -0,0 +1,38 @@
+From b2b477e6b23a207321e2f9d7fde1a1624ef318dc Mon Sep 17 00:00:00 2001
+From: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Date: Tue, 13 Jun 2023 11:17:36 +0800
+Subject: [PATCH] commands/acpi: Use xsdt_addr if present
+
+According to the ACPI specification, in ACPI 2.0 or later, an
+ACPI-compatible OS must use the XSDT if present. So, we should
+use xsdt_addr instead of rsdt_addr if xsdt_addr is valid.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b2b477e6b23a207321e2f9d7fde1a1624ef318dc
+Conflict:NA
+
+Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/acpi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
+index deec4bb43..1c034463c 100644
+--- a/grub-core/commands/acpi.c
++++ b/grub-core/commands/acpi.c
+@@ -514,7 +514,11 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)
+       /* Set revision variables to replicate the same version as host. */
+       rev1 = ! rsdp->revision;
+       rev2 = rsdp->revision;
+-      rsdt = (struct grub_acpi_table_header *) (grub_addr_t) rsdp->rsdt_addr;
++      if (rev2 && ((struct grub_acpi_table_header *) (grub_addr_t) ((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr) != NULL)
++	rsdt = (struct grub_acpi_table_header *) (grub_addr_t) ((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr;
++      else
++	rsdt = (struct grub_acpi_table_header *) (grub_addr_t) rsdp->rsdt_addr;
++
+       /* Load host tables. */
+       for (entry_ptr = (grub_uint32_t *) (rsdt + 1);
+ 	   entry_ptr < (grub_uint32_t *) (((grub_uint8_t *) rsdt)
+-- 
+2.27.0
+

backport-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch

@@ -0,0 +1,64 @@
+From 4e1d08ad2465dcc2c79d3be9c92ec166d8420a98 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:38:19 +0300
+Subject: [PATCH 5/6] fs/ntfs: Fix an OOB read when parsing a volume label
+
+This fix introduces checks to ensure that an NTFS volume label is always
+read from the corresponding file record segment.
+
+The current NTFS code allows the volume label string to be read from an
+arbitrary, attacker-chosen memory location. However, the bytes read are
+always treated as UTF-16LE. So, the final string displayed is mostly
+unreadable and it can't be easily converted back to raw bytes.
+
+The lack of this check is a minor issue, likely not causing a significant
+data leak.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=1fe82c41e070385e273d7bb1cfb482627a3c28e8
+Conflict:NA
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 2404566..e26dd59 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -1209,13 +1209,29 @@ grub_ntfs_label (grub_device_t device, char **label)
+ 
+   init_attr (&mft->attr, mft);
+   pa = find_attr (&mft->attr, GRUB_NTFS_AT_VOLUME_NAME);
++
++  if (pa >= mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++    {
++      grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
++      goto fail;
++    }
++
++  if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa < 0x16)
++    {
++      grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
++      goto fail;
++    }
++
+   if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10)))
+     {
+       int len;
+ 
+       len = u32at (pa, 0x10) / 2;
+       pa += u16at (pa, 0x14);
+-      *label = get_utf8 (pa, len);
++      if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len)
++        *label = get_utf8 (pa, len);
++      else
++        grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
+     }
+ 
+ fail:
+-- 
+2.19.1
+

backport-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch

@@ -0,0 +1,54 @@
+From 6dc553d0c6ef77518789eb774f76d07f7a2e38c2 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:33:44 +0300
+Subject: [PATCH 4/6] fs/ntfs: Fix an OOB read when parsing bitmaps for index
+ attributes
+
+This fix introduces checks to ensure that bitmaps for directory indices
+are never read beyond their actual sizes.
+
+The lack of this check is a minor issue, likely not exploitable in any way.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7a5a116739fa6d8a625da7d6b9272c9a2462f967
+Conflict:NA
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index c015044..2404566 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -839,6 +839,25 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 
+ 	  if (is_resident)
+ 	    {
++              if (bitmap_len > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++		{
++		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap too large");
++		  goto done;
++		}
++
++              if (cur_pos >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++		{
++		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
++		  goto done;
++		}
++
++              if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) >
++		  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos)
++		{
++		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
++		  goto done;
++		}
++
+               grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14),
+                            bitmap_len);
+ 	    }
+-- 
+2.19.1
+

backport-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch

@@ -0,0 +1,76 @@
+From d5b4e4198fa932e13f3abfec8d4cda1c7709499d Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:33:17 +0300
+Subject: [PATCH 3/6] fs/ntfs: Fix an OOB read when parsing directory entries
+ from resident and non-resident index attributes
+
+This fix introduces checks to ensure that index entries are never read
+beyond the corresponding directory index.
+
+The lack of this check is a minor issue, likely not exploitable in any way.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7e5f031a6a6a3decc2360a7b0c71abbe598e7354
+Conflict:NA
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 4d1fe42..c015044 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -599,7 +599,7 @@ get_utf8 (grub_uint8_t *in, grub_size_t len)
+ }
+ 
+ static int
+-list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
++list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, grub_uint8_t *end_pos,
+ 	   grub_fshelp_iterate_dir_hook_t hook, void *hook_data)
+ {
+   grub_uint8_t *np;
+@@ -610,6 +610,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
+       grub_uint8_t namespace;
+       char *ustr;
+ 
++      if ((pos >= end_pos) || (end_pos - pos < 0x52))
++        break;
++
+       if (pos[0xC] & 2)		/* end signature */
+ 	break;
+ 
+@@ -617,6 +620,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
+       ns = *(np++);
+       namespace = *(np++);
+ 
++      if (2 * ns > end_pos - pos - 0x52)
++        break;
++
+       /*
+        *  Ignore files in DOS namespace, as they will reappear as Win32
+        *  names.
+@@ -802,7 +808,9 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+     }
+ 
+   cur_pos += 0x10;		/* Skip index root */
+-  ret = list_file (mft, cur_pos + u16at (cur_pos, 0), hook, hook_data);
++  ret = list_file (mft, cur_pos + u16at (cur_pos, 0),
++                   at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
++                   hook, hook_data);
+   if (ret)
+     goto done;
+ 
+@@ -889,6 +897,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 			     (const grub_uint8_t *) "INDX")))
+ 		goto done;
+ 	      ret = list_file (mft, &indx[0x18 + u16at (indx, 0x18)],
++			       indx + (mft->data->idx_size << GRUB_NTFS_BLK_SHR),
+ 			       hook, hook_data);
+ 	      if (ret)
+ 		goto done;
+-- 
+2.19.1
+

backport-fs-ntfs-Make-code-more-readable.patch

@@ -0,0 +1,162 @@
+From 85c172921afc3fb9a3533a60df48cfff640a237d Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:40:07 +0300
+Subject: [PATCH 6/6] fs/ntfs: Make code more readable
+
+Move some calls used to access NTFS attribute header fields into
+functions with human-readable names.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e58b870ff926415e23fc386af41ff81b2f588763
+Conflict:NA
+
+Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 48 +++++++++++++++++++++++++++++++--------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index e26dd59..deb058a 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -52,6 +52,24 @@ u64at (void *ptr, grub_size_t ofs)
+   return grub_le_to_cpu64 (grub_get_unaligned64 ((char *) ptr + ofs));
+ }
+ 
++static grub_uint16_t
++first_attr_off (void *mft_buf_ptr)
++{
++  return u16at (mft_buf_ptr, 0x14);
++}
++
++static grub_uint16_t
++res_attr_data_off (void *res_attr_ptr)
++{
++  return u16at (res_attr_ptr, 0x14);
++}
++
++static grub_uint32_t
++res_attr_data_len (void *res_attr_ptr)
++{
++  return u32at (res_attr_ptr, 0x10);
++}
++
+ grub_ntfscomp_func_t grub_ntfscomp_func;
+ 
+ static grub_err_t
+@@ -106,7 +124,7 @@ init_attr (struct grub_ntfs_attr *at, struct grub_ntfs_file *mft)
+ {
+   at->mft = mft;
+   at->flags = (mft == &mft->data->mmft) ? GRUB_NTFS_AF_MMFT : 0;
+-  at->attr_nxt = mft->buf + u16at (mft->buf, 0x14);
++  at->attr_nxt = mft->buf + first_attr_off (mft->buf);
+   at->attr_end = at->emft_buf = at->edat_buf = at->sbuf = NULL;
+ }
+ 
+@@ -154,7 +172,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 		    return NULL;
+ 		}
+ 
+-	      new_pos = &at->emft_buf[u16at (at->emft_buf, 0x14)];
++	      new_pos = &at->emft_buf[first_attr_off (at->emft_buf)];
+ 	      while (*new_pos != 0xFF)
+ 		{
+ 		  if ((*new_pos == *at->attr_cur)
+@@ -213,7 +231,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 	}
+       else
+ 	{
+-	  at->attr_nxt = at->attr_end + u16at (pa, 0x14);
++	  at->attr_nxt = at->attr_end + res_attr_data_off (pa);
+ 	  at->attr_end = at->attr_end + u32at (pa, 4);
+ 	  pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ 	}
+@@ -399,20 +417,20 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+ 
+   if (pa[8] == 0)
+     {
+-      if (ofs + len > u32at (pa, 0x10))
++      if (ofs + len > res_attr_data_len (pa))
+ 	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+ 
+-      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++      if (res_attr_data_len (pa) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+ 	return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
+ 
+       if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+ 	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+ 
+-      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++      if (res_attr_data_off (pa) + res_attr_data_len (pa) >
+ 	  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
+ 	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+ 
+-      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
++      grub_memcpy (dest, pa + res_attr_data_off (pa) + ofs, len);
+       return 0;
+     }
+ 
+@@ -556,7 +574,7 @@ init_file (struct grub_ntfs_file *mft, grub_uint64_t mftno)
+ 			   (unsigned long long) mftno);
+ 
+       if (!pa[8])
+-	mft->size = u32at (pa, 0x10);
++	mft->size = res_attr_data_len (pa);
+       else
+ 	mft->size = u64at (pa, 0x30);
+ 
+@@ -801,7 +819,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 	  (u32at (cur_pos, 0x18) != 0x490024) ||
+ 	  (u32at (cur_pos, 0x1C) != 0x300033))
+ 	continue;
+-      cur_pos += u16at (cur_pos, 0x14);
++      cur_pos += res_attr_data_off (cur_pos);
+       if (*cur_pos != 0x30)	/* Not filename index */
+ 	continue;
+       break;
+@@ -830,7 +848,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 	{
+           int is_resident = (cur_pos[8] == 0);
+ 
+-          bitmap_len = ((is_resident) ? u32at (cur_pos, 0x10) :
++          bitmap_len = ((is_resident) ? res_attr_data_len (cur_pos) :
+                         u32at (cur_pos, 0x28));
+ 
+           bmp = grub_malloc (bitmap_len);
+@@ -851,14 +869,14 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 		  goto done;
+ 		}
+ 
+-              if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) >
++              if (res_attr_data_off (cur_pos) + res_attr_data_len (cur_pos) >
+ 		  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos)
+ 		{
+ 		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
+ 		  goto done;
+ 		}
+ 
+-              grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14),
++              grub_memcpy (bmp, cur_pos + res_attr_data_off (cur_pos),
+                            bitmap_len);
+ 	    }
+           else
+@@ -1222,12 +1240,12 @@ grub_ntfs_label (grub_device_t device, char **label)
+       goto fail;
+     }
+ 
+-  if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10)))
++  if ((pa) && (pa[8] == 0) && (res_attr_data_len (pa)))
+     {
+       int len;
+ 
+-      len = u32at (pa, 0x10) / 2;
+-      pa += u16at (pa, 0x14);
++      len = res_attr_data_len (pa) / 2;
++      pa += res_attr_data_off (pa);
+       if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len)
+         *label = get_utf8 (pa, len);
+       else
+-- 
+2.19.1
+

backport-kern-acpi-Skip-NULL-entries-in-RSDT-and-XSDT.patch

@@ -0,0 +1,64 @@
+From 48f569c78a496d3e11a4605b0999bc34fa5bc977 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Mon, 25 Sep 2023 13:58:18 +0800
+Subject: kern/acpi: Skip NULL entries in RSDT and XSDT
+
+During attempts to configure a serial console, a Page Fault Exception
+and system reset were encountered, specifically on release 2.12~rc1.
+This issue was not present in prior versions and seemed to affect only
+a specific machine, potentially pointing to hardware or firmware flaw.
+
+After investigation, it was discovered that the invalid page access
+occurred during the discovery of serial MMIO ports as specified by
+ACPI's SPCR table [1]. The recent change uncovered an issue in GRUB's
+ACPI driver.
+
+In certain cases, the XSDT/RSDT root table might contain a NULL entry as
+a terminator, depending on how the tables are assembled. GRUB cannot
+blindly trust the address in the root table to be valid and should
+perform a sanity check for NULL entries. This patch introduces this
+simple check.
+
+This fix is also inspired by a related Linux kernel fix [2].
+
+[1] 7b192ec4c term/ns8250: Use ACPI SPCR table when available to configure serial
+[2] 0f929fbf0 ACPICA: Tables: Add new mechanism to skip NULL entries in RSDT and XSDT.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=48f569c78a496d3e11a4605b0999bc34fa5bc977
+Conflict:NA
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/acpi.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/grub-core/kern/acpi.c b/grub-core/kern/acpi.c
+index c61115d..48ded4e 100644
+--- a/grub-core/kern/acpi.c
++++ b/grub-core/kern/acpi.c
+@@ -51,6 +51,10 @@ grub_acpi_rsdt_find_table (struct grub_acpi_table_header *rsdt, const char *sig)
+   for (; s; s--, ptr++)
+     {
+       struct grub_acpi_table_header *tbl;
++
++      /* Skip NULL entries in RSDT/XSDT. */
++      if (!ptr->val)
++	continue;
+       tbl = (struct grub_acpi_table_header *) (grub_addr_t) ptr->val;
+       if (grub_memcmp (tbl->signature, sig, 4) == 0)
+ 	return tbl;
+@@ -75,6 +79,10 @@ grub_acpi_xsdt_find_table (struct grub_acpi_table_header *xsdt, const char *sig)
+   for (; s; s--, ptr++)
+     {
+       struct grub_acpi_table_header *tbl;
++
++      /* Skip NULL entries in RSDT/XSDT. */
++      if (!ptr->val)
++	continue;
+ #if GRUB_CPU_SIZEOF_VOID_P != 8
+       if (ptr->val >> 32)
+ 	continue;
+-- 
+cgit v1.1
+

backport-kern-acpi-Use-xsdt_addr-if-present.patch

@@ -0,0 +1,50 @@
+From 4fb58cf0afe83d921e1072d58a4f899696d8fe7e Mon Sep 17 00:00:00 2001
+From: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Date: Tue, 13 Jun 2023 11:20:51 +0800
+Subject: [PATCH] kern/acpi: Use xsdt_addr if present
+
+According to the ACPI specification, in ACPI 2.0 or later, an
+ACPI-compatible OS must use the XSDT if present. So, we should
+use xsdt_addr instead of rsdt_addr if xsdt_addr is valid.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4fb58cf0afe83d921e1072d58a4f899696d8fe7e
+Conflict:NA
+
+Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/acpi.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/kern/acpi.c b/grub-core/kern/acpi.c
+index 5746ac0..524c402 100644
+--- a/grub-core/kern/acpi.c
++++ b/grub-core/kern/acpi.c
+@@ -99,12 +99,6 @@ grub_acpi_find_fadt (void)
+   if (fadt)
+     return fadt;
+   rsdpv2 = grub_machine_acpi_get_rsdpv2 ();
+-  if (rsdpv2)
+-    fadt = grub_acpi_rsdt_find_table ((struct grub_acpi_table_header *)
+-				      (grub_addr_t) rsdpv2->rsdpv1.rsdt_addr,
+-				      GRUB_ACPI_FADT_SIGNATURE);
+-  if (fadt)
+-    return fadt;
+   if (rsdpv2
+ #if GRUB_CPU_SIZEOF_VOID_P != 8
+       && !(rsdpv2->xsdt_addr >> 32)
+@@ -115,5 +109,11 @@ grub_acpi_find_fadt (void)
+ 				      GRUB_ACPI_FADT_SIGNATURE);
+   if (fadt)
+     return fadt;
++  if (rsdpv2)
++    fadt = grub_acpi_rsdt_find_table ((struct grub_acpi_table_header *)
++				      (grub_addr_t) rsdpv2->rsdpv1.rsdt_addr,
++				      GRUB_ACPI_FADT_SIGNATURE);
++  if (fadt)
++    return fadt;
+   return 0;
+ }
+-- 
+2.27.0
+

backport-util-grub-mount-Check-file-path-sanity.patch

@@ -0,0 +1,34 @@
+From 3f79e3b158bc4aeef94220db676071cfe69e8a5f Mon Sep 17 00:00:00 2001
+From: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Date: Wed, 25 Oct 2023 11:54:57 +0800
+Subject: util/grub-mount: Check file path sanity
+
+The function argp_parser() in util/grub-mount.c lacks a check on the
+sanity of the file path when parsing parameters. This results in
+a segmentation fault if a partition is mounted to a non-existent path.
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3f79e3b158bc4aeef94220db676071cfe69e8a5f
+Conflict:NA
+
+Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/grub-mount.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/util/grub-mount.c b/util/grub-mount.c
+index c69889d..bf4c8b8 100644
+--- a/util/grub-mount.c
++++ b/util/grub-mount.c
+@@ -563,6 +563,8 @@ argp_parser (int key, char *arg, struct argp_state *state)
+ 
+   images = xrealloc (images, (num_disks + 1) * sizeof (images[0]));
+   images[num_disks] = grub_canonicalize_file_name (arg);
++  if (images[num_disks] == NULL)
++    grub_util_error (_("cannot find `%s': %s"), arg, strerror (errno));
+   num_disks++;
+ 
+   return 0;
+-- 
+cgit v1.1
+

grub.macros

@@ -114,7 +114,7 @@
 
 ### fixme
 %ifarch aarch64 %{arm}
-%global efi_modules " tpcm "
+%global efi_modules " tpcm_kunpeng "
 %else
 %global efi_modules " backtrace chain usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug "
 %endif

grub.patches

@@ -449,3 +449,19 @@ Patch0448: backport-net-bootp-Fix-unchecked-return-value.patch
 Patch0449: backport-osdep-linux-hostdisk-Modify-sector-by-sysfs-as-disk-sector.patch
 Patch0450: skip-verification-when-not-loading-grub.cfg.patch
 Patch0451: tpcm-support-control-switch.patch
+Patch0452: tpcm-modify-GRUB_IPMI_TIMEOUT_MS-from-7000-to-2000.patch
+Patch0453: backport-CVE-2023-4692-fs-ntfs-Fix-an-OOB-write-when-parsing-the.patch
+Patch0454: backport-CVE-2023-4693-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the.patch
+Patch0455: backport-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
+Patch0456: backport-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
+Patch0457: backport-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
+Patch0458: backport-fs-ntfs-Make-code-more-readable.patch
+Patch0459: backport-commands-acpi-Use-xsdt_addr-if-present.patch
+Patch0460: backport-kern-acpi-Use-xsdt_addr-if-present.patch
+Patch0461: backport-util-grub-mount-Check-file-path-sanity.patch
+Patch0462: backport-kern-acpi-Skip-NULL-entries-in-RSDT-and-XSDT.patch
+Patch0463: backport-commands-acpi-Fix-calculation-of-ACPI-tables-address.patch
+Patch0464: backport-CVE-2024-1048-grub-set-bootflag-Conservative-partial-fix.patch
+Patch0465: backport-CVE-2024-1048-grub-set-bootflag-More-complete-fix.patch
+Patch0466: backport-CVE-2024-1048-grub-set-bootflag-Exit-calmly-when-not.patch
+

grub2.spec

@@ -8,7 +8,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.04
-Release:	34
+Release:	39
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -442,6 +442,46 @@ rm -r /boot/grub2.tmp/ || :
 %{_datadir}/man/man*
 
 %changelog
+* Tue Jun 25 2024 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.04-39
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix log printing in tpcm_kunpeng module
+
+* Wed Mar 6 2024 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.04-38
+- Type:CVE
+- CVE:CVE-2024-1048
+- SUG:NA
+- DESC:grub-set-bootflag: Fix for CVE-2024-1048
+       commands/acpi: Fix calculation of ACPI tables addresses when processing RSDT and XSDT
+       kern/acpi: Skip NULL entries in RSDT and XSDT
+       util/grub-mount: Check file path sanity
+       kern/acpi: Use xsdt_addr if present
+       commands/acpi: Use xsdt_addrifpresent
+
+* Thu Nov 30 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.04-37
+- Type:requirement
+- CVE:NA
+- SUG:NA
+- DESC:change the name of module tpcm to tpcm_kunpeng
+
+* Sun Oct 8 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.04-36
+- Type:CVE
+- CVE:CVE-2023-4692 CVE-2023-4693
+- SUG:NA
+- DESC:fs/ntfs: Make code more readable
+       fs/ntfs: Fix an OOB read when parsing a volume label
+       fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
+       fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes
+       fs/ntfs: Fix an OOB read when reading data from the resident $DATA attribute
+       fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file
+
+* Sun Jun 18 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.04-35
+- Type:requirement
+- CVE:NA
+- SUG:NA
+- DESC:tpcm: modify GRUB_IPMI_TIMEOUT_MS from 7000 to 2000
+
 * Wed Jun 14 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.04-34
 - Type:requirement
 - CVE:NA

tpcm-modify-GRUB_IPMI_TIMEOUT_MS-from-7000-to-2000.patch

@@ -0,0 +1,26 @@
+From 77bdd46676a58e77c38efd82eee1817159ec031b Mon Sep 17 00:00:00 2001
+From: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Date: Sun, 18 Jun 2023 15:46:37 +0800
+Subject: [PATCH] tpcm: modify GRUB_IPMI_TIMEOUT_MS from 7000 to 2000
+
+Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+---
+ include/grub/efi/tpcm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/grub/efi/tpcm.h b/include/grub/efi/tpcm.h
+index b0265e2..d4cf93b 100644
+--- a/include/grub/efi/tpcm.h
++++ b/include/grub/efi/tpcm.h
+@@ -26,7 +26,7 @@
+ #define FIRMWARE_VERSION_SIZE       32
+ #define FIRMWARE_HASH_CONTENT_SIZE  32
+ #define FIRMWARE_NAME_SIZE          32
+-#define GRUB_IPMI_TIMEOUT_MS        7000
++#define GRUB_IPMI_TIMEOUT_MS        2000
+ 
+ // LUN
+ #define IPMI_BMC_LUN                0x00
+-- 
+2.33.0
+